Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why doesn't kvStore lookup work, but join does?

plaid_blanket
Loves-to-Learn
‎02-01-2023 07:30 AM

I've got a kvStore lookup, AD_Obj_user, defined with fields objectSid, OU, sAMAccountName, and others.  It has case-insensitive matching.

I've got events that contain the field Sid.  I want to lookup the sAMAccountName and automate the lookup, but right now not even the manual lookup works.

This works:

 

 

 

| inputlookup AD_Obj_User where objectSid=S-1-2-34-56789012-345678901-234567890-123456

    | table objectSid sAMAccountName OU

 

 

 

but this does not work:

 

 

 

index=windows_client source="WinEventLog:PowerShell"  Sid=S-1-2-34-56789012-345678901-234567890-123456
| lookup AD_Obj_User objectSid AS Sid 
| table  OU Sid

 

 

 

I can do the lookup successfully, manually, by using this:

 

 

 

index=windows_client source="WinEventLog:PowerShell" Sid=S-1-2-34-56789012-345678901-234567890-123456
| eval objectSid=Sid
| join type=left objectSid [| inputlookup AD_Obj_User 
    | table objectSid sAMAccountName OU]
| eval User=sAMAccountName
| fields - sAMAccountName

 

 

 

but it won't get me towards automating the lookup.

Any ideas?  I'm stumped.

Labels (1)
Labels
0 Karma
Reply

plaid_blanket
Loves-to-Learn
‎02-01-2023 01:12 PM

Nope, no luck.

2023-02-01_14-06-51.jpg

If it helps, doing the lookup DOES do something, because this

index=windows_client source="WinEventLog:PowerShell" Sid=S-1-2-34-56789012-345678901-234567890-123456
| eval objectSid="this has content"
| lookup AD_Obj_User objectSid AS Sid OUTPUT objectSid
| table  OU Sid objectSid

returns a table that has the Sid column populated, but the other two columns blank (i.e., the lookup overwrites the "this has content" stuff in objectSid).

0 Karma
Reply

shivanshu1593
Builder
‎02-01-2023 09:32 AM

Try like this:

 

index=windows_client source="WinEventLog:PowerShell"  Sid=S-1-2-34-56789012-345678901-234567890-123456
| lookup AD_Obj_User objectSid AS Sid OUTPUT objectSid as Sid
| table  OU Sid

 

++If it helps, please consider accepting as answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...